SIM Swapping - The Full Picture of Phone Number Hijacking

SIM swapping (SIM swap fraud) is an attack where the attacker tricks a mobile carrier into transferring the victim's phone number to the attacker's SIM card. By seizing control of the phone number, the attacker can bypass SMS authentication and gain unauthorized access to any service tied to that number - bank accounts, cryptocurrency wallets, email accounts, and more.

According to the FBI's Internet Crime Complaint Center (IC3), SIM swapping losses reach tens of millions of dollars annually. This article provides a systematic explanation from the technical mechanics of the attack to specific defensive measures.

How the Attack Works - 4 Phases

A SIM swapping attack progresses through stages from information gathering to execution. Understanding each phase is the first step toward defense.

Phase 1: Target Information Gathering

The attacker first collects the target's personal information. Using a combination of social engineering, phishing, purchases from data brokers, and information leaked in past data breaches, they obtain:

  • Full name, date of birth, address
  • Phone number, email address
  • Mobile carrier account information (account number, PIN code)
  • Answers to security questions used for identity verification (mother's maiden name, pet's name, etc.)

Phase 2: Impersonating the Victim to the Carrier

Armed with the collected information, the attacker contacts the mobile carrier's customer support. Using pretexts like "I lost my smartphone" or "my SIM card is broken," they request the phone number be transferred to a new SIM card. Since they can correctly answer identity verification questions, the operator believes they're dealing with a legitimate customer.

In some cases, attackers bribe carrier insiders to execute the SIM swap without going through proper procedures. In a 2023 US case, carrier employees were found to have participated in SIM swaps for a few hundred dollars per swap.

Phase 3: Phone Number Seizure

Once the SIM swap is complete, the victim's smartphone immediately loses signal. All calls and SMS messages are now delivered to the attacker's device. The minutes to hours before the victim notices something is wrong are the attacker's "golden time."

Phase 4: Account Takeover

With the phone number under their control, the attacker bypasses SMS-based two-factor authentication (2FA) to break into accounts. A typical attack scenario proceeds as follows:

  1. Use the email account's "forgot password" feature to receive a verification code via SMS
  2. Take over the email account, then chain password resets for banks, cryptocurrency exchanges, and social media
  3. Transfer cryptocurrency to the attacker's wallet or move funds from bank accounts

Why SMS Authentication Is Vulnerable

SMS-based 2FA uses phone number ownership as proof for the "second factor" of authentication. However, since phone numbers can be easily transferred via SIM swapping, they fail as proof of ownership.

NIST (National Institute of Standards and Technology) classified SMS as a "restricted" authentication method in SP 800-63B (2016), recommending migration to more secure alternatives. The reasons are clear:

  • SMS is transmitted as unencrypted plaintext. Exploiting SS7 protocol vulnerabilities allows interception along the communication path
  • A phone number is not a permanently bound personal identifier but a temporary assignment that can be transferred through carrier procedures
  • Beyond SIM swapping, multiple methods exist to circumvent SMS, including SS7 attacks, malware-based SMS interception, and voice phishing

SMS authentication is "better than nothing," but it's insufficient for protecting high-value accounts (financial, cryptocurrency, email).

Signs You've Been Hit by SIM Swapping

If even one of the following signs appears, suspect a SIM swapping attack and begin responding immediately:

  • Your smartphone suddenly loses signal and can't receive calls or SMS
  • You receive a notification from your carrier saying "SIM card change completed" (check via email or another device)
  • You can no longer log into email or social media accounts
  • You receive notifications of unrecognized transfers from bank accounts or cryptocurrency wallets
  • Contacts tell you "I received a suspicious message from your account"

If you notice an attack, first call your carrier to request SIM deactivation, then prioritize contacting financial institutions and changing passwords.
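
The signs above, combined with the Phase 4 takeover chain, can also be checked on the service side. The following is an added example, not part of the original article: it flags SMS-based recovery and fund movement that follow a SIM change. The event names, the 72-hour window, and the sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

RISK_WINDOW = timedelta(hours=72)  # assumed hold period after a SIM change

# Constructed sample events for one account, oldest first (not real logs).
# "sim_change_notice" is a hypothetical event fed by the carrier's
# "SIM card change completed" notification.
EVENTS = [
    ("2024-05-01T09:00:00", "login_ok", {"factor": "totp"}),
    ("2024-05-03T14:02:10", "sim_change_notice", {}),
    ("2024-05-03T14:09:41", "password_reset", {"channel": "sms"}),
    ("2024-05-03T14:11:05", "login_ok", {"factor": "sms", "new_device": True}),
    ("2024-05-03T14:15:30", "withdrawal_request", {"amount": 4200}),
    ("2024-05-09T08:00:00", "password_reset", {"channel": "sms"}),
]


def assess(events, window=RISK_WINDOW):
    """Return (timestamp, event, finding) for events that follow a SIM change."""
    findings = []
    sim_changed_at = None   # time of the most recent SIM change
    sms_recovered = False   # has SMS been used for auth since that change?
    for ts, kind, meta in events:
        when = datetime.fromisoformat(ts)
        if kind == "sim_change_notice":
            sim_changed_at, sms_recovered = when, False
            continue
        if sim_changed_at is None or when - sim_changed_at > window:
            continue  # no recent SIM change: outside the risk window
        uses_sms = meta.get("channel") == "sms" or meta.get("factor") == "sms"
        if uses_sms:
            # The phone number may no longer belong to the account owner.
            sms_recovered = True
            findings.append((ts, kind, "flag: SMS auth after SIM change"))
        elif kind == "withdrawal_request" and sms_recovered:
            findings.append((ts, kind, "flag: funds movement after SMS recovery"))
    return findings


if __name__ == "__main__":
    for finding in assess(EVENTS):
        print(*finding, sep="  ")
```

A service using a rule like this would require a non-SMS factor or manual review for flagged events instead of trusting the phone number during the window.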

Defenses - Moving Away from SMS Authentication and Multi-Layered Protection

1. Adopt Hardware Security Keys

FIDO2/WebAuthn-compatible hardware security keys (YubiKey, Google Titan Security Key, etc.) are the strongest defense against SIM swapping. Authentication is based on physical device possession and cryptographic proof, making it impossible to breach through phone number hijacking.

Passkeys similarly use public-key cryptography for authentication without depending on SMS. Actively consider migrating to passkeys on supported services.

2. Switch to Authenticator Apps

TOTP (Time-based One-Time Password) apps like Google Authenticator, Microsoft Authenticator, and Authy are safer 2FA methods than SMS. Verification codes are generated within the device, so they can't be obtained through phone number hijacking.

However, backup code management for authenticator apps requires care. If backup codes are leaked, the authenticator app's protection is also neutralized.

3. Set Up Carrier SIM Lock (Port Freeze)

Many mobile carriers offer features that require additional authentication for SIM changes or number portability.

  • SIM Lock PIN: Requires a dedicated PIN code when changing the SIM
  • Port Freeze: Temporarily freezes number portability (MNP)
  • Account PIN: Requires additional authentication when contacting customer support

These settings can be enabled through your carrier's online portal or at a store. If you haven't set them up, do so immediately.

4. Minimize Personal Information Exposure

The starting point of SIM swapping is personal information collection. Reducing the information available to attackers is a fundamental defense.

  • Don't publish your date of birth, address, or phone number on social media
  • Review your social media privacy settings and minimize public visibility
  • Remove your information from data broker sites (opt-out procedures)
  • Regularly check your digital footprint to find information that is exposed unnecessarily
  • Check on IP Check-san how much of your IP address and network information is publicly visible

5. Separate Phone Numbers for Critical Accounts

Using a different phone number for financial institutions and cryptocurrency exchanges than your everyday number is also effective. By using Google Voice or a dedicated SIM card and keeping that number private, you make it harder for attackers to identify the target number.

Can eSIM Prevent SIM Swapping?

eSIM (embedded SIM) doesn't require physical SIM card replacement, leading some to claim it's "resistant to SIM swapping." However, even with eSIM, profile reissuance through carrier customer support is still possible.

The advantage of eSIM is preventing physical SIM card theft or replacement. However, since the essence of SIM swapping lies in the vulnerability of carrier identity verification processes, eSIM alone is not a fundamental solution. Combining eSIM adoption with carrier SIM lock settings and moving away from SMS authentication is essential.

Summary - Toward a Security Posture That Doesn't Depend on Phone Numbers

SIM swapping is an attack that exploits the "weak link" of phone numbers. As long as you depend on SMS authentication, no matter how strong your password, a single phone number hijacking can bring everything crashing down.

The core of defense is migrating the authentication foundation from phone numbers to cryptographic methods (hardware keys, passkeys, authenticator apps). Simultaneously, build multi-layered protection combining carrier SIM lock settings and personal information exposure management.

Start by checking your network information on IP Check-san to understand how much of your information is publicly visible.

Related Terms

  • Two-Factor Authentication (2FA): A security method that verifies identity using a second factor such as a physical device or biometrics in addition to a password. Methods include SMS, authenticator apps, and hardware keys.
  • Social Engineering: An attack technique that exploits human psychological weaknesses rather than technical means to extract confidential information. Includes impersonation, phishing, and pretexting.
  • Phishing: An attack that uses fake emails or websites impersonating legitimate services to steal sensitive information such as passwords and credit card numbers.
  • Passkey: A passwordless authentication method based on the FIDO2/WebAuthn standard. Uses public-key cryptography and offers high resistance to phishing and SIM swapping.
  • IP Address: A numerical address that identifies devices on the internet. Comes in two types, IPv4 and IPv6, used to specify communication endpoints.